It's not by any means exhaustive, but we're still going to change the
implementation, so let's just use this as a starting point.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
These values match against the client IDs only, so let's rename it to
something that actually reflects that. Having client.cert in the same
namespace also could lead to confusion, because the client.cert setting
is for the *debugging* client only.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Referring to the GnuTLS documentation isn't very nice if the user has to
use a search engine to find that documentation. So let's directly link
to it.
The type was "str" before, but it's actually a colon-separated string,
so if we set options in multiple modules, the result is one concatenated
string.
I know there is types.envVar, which does the same as separatedString ":"
but I found that it could confuse the reader of the Taskserver module.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
We already document that we allow special values such as "all" and
"none", but the type doesn't represent that. So let's use an enum in
conjuction with a loeOf type so that this becomes clear.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
The option authzldapauthoritative had been removed in 2.4
I pushed this into 16.03 instead of master first. My fault.
(cherry picked from commit 516f47efef)
Using nixos-taskserver is more verbose but less cryptic and I think it
fits the purpose better because it can't be confused to be a wrapper
around the taskdctl command from the upstream project as
nixos-taskserver shares no commonalities with it.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
With a cluttered up module source it's really a pain to navigate through
it, so it's a good idea to put it into another file.
No changes in functionality here, just splitting up the files and fixing
references.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Finally, this is where we declaratively set up our organisations and
users/groups, which looks like this in the system configuration:
services.taskserver.organisations.NixOS.users = [ "alice" "bob" ];
This automatically sets up "alice" and "bob" for the "NixOS"
organisation, generates the required client keys and signs it via the
CA.
However, we still need to use nixos-taskdctl export-user in order to
import these certificates on the client.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
It's a helper for NixOS systems to make it easier to handle CA
certificate signing, similar to what taskd provides but comes preseeded
with the values from the system configuration.
The tool is very limited at the moment and only allows to *add*
organisations, users and groups. Deletion and suspension however is much
simpler to implement, because we don't need to handle certificate
signing.
Another limitation is that we don't take into account whether
certificates and keys are already set in the system configuration and if
they're set it will fail spectacularly.
For passing the commands to the taskd command, we're using a small C
program which does setuid() and setgid() to the Taskserver user and
group, because runuser(1) needs PAM (quite pointless if you're already
root) and su(1) doesn't allow for setting the group and setgid()s to the
default group of the user, so it even doesn't work in conjunction with
sg(1).
In summary, we now have a shiny nixos-taskdctl command, which lets us do
things like:
nixos-taskdctl add-org NixOS
nixos-taskdctl add-user NixOS alice
nixos-taskdctl export-user NixOS alice
The last command writes a series of shell commands to stdout, which then
can be imported on the client by piping it into a shell as well as doing
it for example via SSH:
ssh root@server nixos-taskdctl export-user NixOS alice | sh
Of course, in terms of security we need to improve this even further so
that we generate the private key on the client and just send a CSR to
the server so that we don't need to push any secrets over the wire.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
We want to declaratively specify users and organisations, so let's add
another module option "organisations", which allows us to specify users,
groups and of course organisations.
The implementation of this is not yet done and this is just to feed the
boilerplate.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Using just the host for the common name *and* for listening on the port
is quite a bad idea if you want to listen on something like :: or an
internal IP address which is proxied/tunneled to the outside.
Hence this separates host and fqdn.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
The server starts up without that option anyway, but it complains about
its value not being set. As we probably want to have access to that
configuration value anyway, let's expose this via the NixOS module as
well.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Now the service starts up if only the services.taskserver.enable option
is set to true.
We now also have three systemd services (started in this order):
* taskserver-init: For creating the necessary data directory and also
includes a refecence to the configuration file in
the Nix store.
* taskserver-ca: Only enabled if none of the server.key, server.cert,
server.crl and caCert options are set, so we can
allow for certificates that are issued by another
CA.
This service creates a new CA key+certificate and a
server key+certificate and signs the latter using
the CA key.
The permissions of these keys/certs are set quite
strictly to allow only the root user to sign
certificates.
* taskserver: The main Taskserver service which just starts taskd.
We now also log to stdout and thus to the journal.
Of course, there are still a few problems left to solve, for instance:
* The CA currently only signs the server certificates, so it's
only usable for clients if the server doesn't validate client certs
(which is kinda pointless).
* Using "taskd <command>" is currently still a bit awkward to use, so
we need to properly wrap it in environment.systemPackages to set the
dataDir by default.
* There are still a few configuration options left to include, for
example the "trust" option.
* We might want to introduce an extraConfig option.
* It might be useful to allow for declarative configuration of
organisations and users, especially when it comes to creating client
certificates.
* The right signal has to be sent for the taskserver service to reload
properly.
* Currently the CA and server certificates are created using
server.host as the common name and doesn't set additional certificate
information. This could be improved by adding options that explicitly
set that information.
As for the config file, we might need to patch taskd to allow for
setting not only --data but also a --cfgfile, which then omits the
${dataDir}/config file. We can still use the "include" directive from
the file specified using --cfgfile in order to chainload
${dataDir}/config.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
The descriptions for the options previously seem to be from the
taskdrc(5) manual page. So in cases where they didn't make sense for us
I changed the wording a bit (for example for client.deny we don't have a
"comma-separated list".
Also, I've reordered things a bit for consistency (type, default,
example and then description) and add missing types, examples and
docbook tags.
Options that are not used by default now have a null value, so that we
can generate a configuration file out of all the options defined for the
module.
The dataDir default value is now /var/lib/taskserver, because it doesn't
make sense to put just yet another empty subdirectory in it and "data"
doesn't quite make sense anyway, because it also contains the
configuration file as well.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
We're aiming for a proper integration into systemd/journald, so we
really don't want zillions of separate log files flying around in our
system.
Same as with the pidFile. The latter is only needed for taskdctl, which
is a SysV-style initscript and all of its functionality plus a lot more
is handled by systemd already.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
The service doesn't start with the "taskd" user being present, so we
really should add it. And while at it, it really makes sense to add a
default group as well.
I'm using a check for the user/group name as well, to allow the
taskserver to be run as an existing user.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
I'm renaming the attribute name for uid, because the user name is called
"taskd" so we should really use the same name for it.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Most of the desktop environments will spawn pulseaudio, but we can instead simply run it as a systemd service instead.
This patch also makes the system wide service run in foreground as recommended by the systemd projects and allows it to use sd_notify to signal ready instead of reading a pid written to a file. It is now also restarted on failure.
The user version has been tested with KDE and works fine there.
The system-wide version runs, but I haven't actually used it and upstream does not recommend running in this mode.
This patch makes dbus launch with any user session instead of
leaving it up to the desktop environment launch script to run it.
It has been tested with KDE, which simply uses the running daemon
instead of launching its own.
This is upstream's recommended way to run dbus.
Without the templating (which is still present for imperative containers), it
will be possible to set individual dependencies. Like depending on the network
only if the hostbridge or hardware interfaces are used.
Ported from #3021
This allows the containers to have their interface in a bridge on the host.
Also this adds IPv6 addresses to the containers both with bridged and unbridged
network.
This reverts commit 45c218f893.
Busybox's modprobe causes numerous "Unknown symbol" errors in the
kernel log, even though the modules do appear to load correctly.
NixOps has infrequent releases, so it's not the best place for keeping
the list of current AMIs. Putting them in Nixpkgs means that AMI
updates will be delivered as part of the NixOS channels.
We now generate a qcow2 image to prevent hitting Hydra's output size
limit. Also updated /root/user-data -> /etc/ec2-metadata/user-data.
http://hydra.nixos.org/build/33843133
This basic module allows you to specify the tmux configuration.
As great as tmux is, some of the defaults are pretty awful, so having a
way to specify the config really helps.
- services.iodined moved to services.iodine
- configuration file backwards compatable
- old iodine server configuration moved to services.iodine.server
- attribute set services.iodine.clients added to specify any number
of iodine clients
- example:
iodine.clients.home = { server = "iodinesubdomain.yourserver.com"; ... };
- client services names iodine-name where name would be home
Systemd 229 sets kernel.core_pattern to "|/bin/false" by default,
unless systemd-coredump is enabled. Revert back to the default of
writing "core" in the current directory.
This reverts commit e8e8164f34. I
misread the original commit as adding the "which" package, but it only
adds it to base.nix. So then the original motivation (making it work
in subshells) doesn't hold. Note that we already have some convenience
aliases that don't work in subshells either (such as "ll").
Previously, the cisco resolver was used on the theory that it would
provide the best user experience regardless of location. The downsides
of cisco are 1) logging; 2) missing supoprt for DNS security extensions.
The new upstream resolver is located in Holland, supports DNS security,
and *claims* to not log activity. For users outside of Europe, this will
mean reduced performance, but I believe it's a worthy tradeoff.
When iodined tries to start before any interface other than loopback has an ip, iodined fails.
Wait for ip-up.target
The above is because of the following:
in iodined's code: src/common.c line 157
the flag AI_ADDRCONFIG is passed as a flag to getaddrinfo.
Iodine uses the function
get_addr(char *host,
int port,
int addr_family,
int flags,
struct sockaddr_storage *out);
to get address information via getaddrinfo().
Within get_addr, the flag AI_ADDRCONFIG is forced.
What this flag does, is cause getaddrinfo to return
"Name or service not known" as an error explicitly if no ip
has been assigned to the computer.
see getaddrinfo(3)
Wait for an ip before starting iodined.
* the major change is to set TARGETDIR=${vardir}, and symlink from
${vardir} back to ${out} instead of the other way around. this
gives CP more liberty to write to more directories -- in particular
it seems to want to write some configuration files outside of conf?
* run.conf does not need 'export'
* minor tweaks to CrashPlanDesktop.patch
GnuPG 2.1.x changed the way the gpg-agent works, and that new approach no
longer requires (or even supports) the "start everything as a child of the
agent" scheme we've implemented in NixOS for older versions.
To configure the gpg-agent for your X session, add the following code to
~/.xsession or some other appropriate place that's sourced at start-up:
gpg-connect-agent /bye
GPG_TTY=$(tty)
export GPG_TTY
If you want to use gpg-agent for SSH, too, also add the settings
unset SSH_AGENT_PID
export SSH_AUTH_SOCK="${HOME}/.gnupg/S.gpg-agent.ssh"
and make sure that
enable-ssh-support
is included in your ~/.gnupg/gpg-agent.conf.
The gpg-agent(1) man page has more details about this subject, i.e. in the
"EXAMPLES" section.
This patch fixes https://github.com/NixOS/nixpkgs/issues/12927.
It would be great to configure good rate-limiting defaults for this via
/proc/sys/net/ipv4/icmp_ratelimit and /proc/sys/net/ipv6/icmp/ratelimit,
too, but I didn't since I don't know what a "good default" would be.
Some users may wish to improve their privacy by using per-query
key pairs, which makes it more difficult for upstream resolvers to
track users across IP addresses.
- fix `enable` option description
using `mkEnableOption longDescription` is incorrect; override
`description` instead
- additional details for proper usage of the service, including
an example of the recommended configuration
- clarify `localAddress` option description
- clarify `localPort` option description
- clarify `customResolver` option description
Previously this was done in three derivations (one to build the raw
disk image, one to convert to OVA, one to add a hydra-build-products
file). Now it's done in one step to reduce the amount of copying
to/from S3. In particular, not uploading the raw disk image prevents
us from hitting hydra-queue-runner's size limit of 2 GiB.
This commit implements the changes necessary to start up a graphite carbon Cache
with twisted and start the corresponding graphiteWeb service.
Dependencies need to be included via python buildEnv to include all recursive
implicit dependencies.
Additionally cairo is a requirement of graphiteWeb and pycairo is not a standard
python package (buildPythonPackage) and therefore cannot be included via
buildEnv. It also needs cairo in the Library PATH.
Also add required systemd services for starting/stopping mdmon.
Closes#13447.
abbradar: fixed `mdadmShutdown` service name according to de facto conventions.
Accidentally broken by 4fede53c09
("nixos manuals: bring back package references").
Without this fix, grafana won't start:
$ systemctl status grafana
...
systemd[1]: Starting Grafana Service Daemon...
systemd[1]: Started Grafana Service Daemon.
grafana[666]: 2016/03/06 19:57:32 [log.go:75 Fatal()] [E] Failed to detect generated css or javascript files in static root (%!s(MISSING)), have you executed default grunt task?
systemd[1]: grafana.service: Main process exited, code=exited, status=1/FAILURE
systemd[1]: grafana.service: Unit entered failed state.
systemd[1]: grafana.service: Failed with result 'exit-code'.
Broken by 17389e256f.
The description attributes of mkOption are parsed by XSLT, so we can
create a DocBook manual out of it.
Unfortunately, the passwordHash option had a description which includes
a <password> placeholder which is recognized by DocBook XSL as a valid
start tag. So as there is obviously no </password>, the build of the
manual bailed out with a parsing error.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Reported-by: devhell <"^"@regexmail.net>
Since we don't restart sysinit.service in switch-to-configuration, this
additionally overrides systemd-binfmt.service to depend on
proc-sys-fs-binfmt_misc.automount, which is normally provided by
sysinit.service.
In NixOS/nixpkgs@da6bc44 @thoughtpolice
made the Transmission NixOS module override the umask setting in the
Transmission config. This commit removes that override.
I want a different umask setting and I guess it is possible that other
people might want it to. Thus I think it is a good idea to respect the
umask settings in the Transmission config.
Add ability to do a more traditional bspwm startup (using the bspwm-session
script provided by nixpkgs.bspwm) as an alternative to directly starting
sxhkd & bspwm
Also added the ability to specify a custom startup script, instead of
relying on the provided bspwm-session
add '-f 100' as an argument to sxhkd to keep it from flooding bspwm
add SXHKD_SHELL=/bin/sh to help default to a faster shell than what may
be set in $SHELL (example: with zsh)
- Enforce that an option declaration has a "defaultText" if and only if the
type of the option derives from "package", "packageSet" or "nixpkgsConfig"
and if a "default" attribute is defined.
- Enforce that the value of the "example" attribute is wrapped with "literalExample"
if the type of the option derives from "package", "packageSet" or "nixpkgsConfig".
- Warn if a "defaultText" is defined in an option declaration if the type of
the option does not derive from "package", "packageSet" or "nixpkgsConfig".
- Warn if no "type" is defined in an option declaration.
Both Qt and GTK load plugins from the active profiles
automatically, so it is sufficient to install input methods
system-wide. Overriding the plugin paths may interfere with correct
operation of other plugins.
Updates gitlab to the current stable version and fixes a lot of features that
were broken, at least with the current version and our configuration.
Quite a lot of sweat and tears has gone into testing nearly all features and
reading/patching the Gitlab source as we're about to deploy gitlab for our
whole company.
Things to note:
* The gitlab config is now written as a nix attribute set and will be
converted to JSON. Gitlab uses YAML but JSON is a subset of YAML.
The `extraConfig` opition is also an attribute set that will be merged
with the default config. This way *all* Gitlab options are supported.
* Some paths like uploads and configs are hardcoded in rails (at least
after my study of the Gitlab source). This is why they are linked from
the Gitlab root to /run/gitlab and then linked to the configurable
`statePath`.
* Backup & restore should work out of the box from another Gitlab instance.
* gitlab-git-http-server has been replaced by gitlab-workhorse upstream.
Push & pull over HTTPS works perfectly. Communication to gitlab is done
over unix sockets. An HTTP server is required to proxy requests to
gitlab-workhorse over another unix socket at
`/run/gitlab/gitlab-workhorse.socket`.
* The user & group running gitlab are now configurable. These can even be
changed for live instances.
* The initial email address & password of the root user can be configured.
Fixes#8598.
NetworkManager needs an additional avahi-user to use link-local
IPv4 (and probably IPv6) addresses. avahi-autoipd also needs to be
patched to the right path.
Add a module to make options to pam_oath module configurable.
These are:
- enable - enable the OATH pam module
- window - number of OTPs to check
- digits - length of the OTP (adds support for two-factor auth)
- usersFile - filename to store OATH credentials in
We don't want to build all those things along with the manual, so that's
what the defaultText attribute is for.
Unfortunately a few of them were missing, so let's add them.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This commit adds the firmware for the Intel 2200BG wireless cards for
the ipw2200 kernel module. Also it changes the
networking.enableIntel2200BGFirmware option to set it as
hardware.firmware since firmware-linux-nonfree does not contain the
appropiate firmware anymore. Also hardware.enableAllFirmware does enable
the intel2200BGFirmware now.
This reverts commit b861bf8ddf, because according to @mdorman [1] this
change rendered his NixOS systems unbootable, and we probably don't want that.
[1] b861bf8ddf (commitcomment-16058598)
Allow usage of list of strings instead of a comma-separated string
for filesystem options. Deprecate the comma-separated string style
with a warning message; convert this to a hard error after 16.09.
15.09 was just released, so this provides a deprecation period during
the 16.03 release.
closes#10518
Signed-off-by: Robin Gloster <mail@glob.in>
The test only checked for existence of the rule file in the output path
of the rulefile generator.
However, we also need to check whether the basename of the file is also
the one we're currently searching for.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Partially reverts the following commits:
9f2a61c59c9c13fe6604
As @edolstra pointed out, it would make more sense to do this by default
instead of having that allowImpurePaths option. This of course might
break systems which add extra packages to udev, but on the upside it's
hard to miss one of these paths now because it won't get buried in the
ocean of build output lines.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
So far we were merely printing a warning if there are still references
to (/usr)/s?bin, but we actually want to make sure that we fix those
paths, especially on updates of packages that come with udev rules.
This adds a new option allowImpurePaths, which when set to false will
cause the "udev-rules" derivation to fail.
I've set this to true by default, to not break existing systems too much
and the intention is to set it to false for a few NixOS VM tests.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
We were trying to find FHS references in all of the rules found in
services.udev.packages. Unfortunately we're still fixing up paths in the
same derivation where we are checking those references, so for example
references to /sbin/modprobe were still printed to be needed to fixup
even though they were already fixed at the time.
So now we're printing a more helpful warning message which is also
conditional (before the warning message was printed regardless of
whether there are any rules that need fixup) and is based off the rules
that were already fixed up.
The new warning message not only contains the build-local rule files but
also the original files from other store paths and the FHS path
references that were still found.
With 8ecd3a5e1d reverted, we now get this:
/nix/store/...-udev-rules/63-md-raid-arrays.rules (originally from
/nix/store/...-mdadm-3.3.4/lib/udev/rules.d/63-md-raid-arrays.rules)
contains references to /usr/bin/readlink and /usr/bin/basename.
Which is now more accurate to what is not yet fixed and where it's
coming from.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
In 8ecd3a5, we fixed up the FHS paths for stage 1, but unfortunately we
have a similar udev rules generator twice one for the initrd and one
without. So we might need to refactor this in the future.
For now, let's just fix the references to readlink and basename in the
udev module as well until we have properly addressed this.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Fixes: #12722
It's not entirely clear why this happens, but sometimes /proc/1/exe
returns a bogus value, like
/ar3a3j6b9livhy5fcfv69izslhgk4gcz-systemd-217/lib/systemd/systemd. In
any case, we can just conservatively assume that we need to restart
systemd when this happens.
Fixes#10261.
This reverts most of 89e983786a, as those references are sanitized now.
Fixes#10039, at least most of it.
The `sane` case wasn't fixed, as it calls a *function* in pkgs to get
the default value.
This is an improved version of original #12357.
For the purpose of generating docs, evaluate options with each derivation
in `pkgs` (recursively) replaced by a fake with path "\${pkgs.attribute.path}".
It isn't perfect, but it seems to cover a vast majority of use cases.
Caveat: even if the package is reached by a different means,
the path above will be shown and not e.g. `${config.services.foo.package}`.
As before, defaults created by `mkDefault` aren't displayed,
but documentation shouldn't (mostly) be a reason to use that anymore.
Note: t wouldn't be enough to just use `lib.mapAttrsRecursive`,
because derivations are also (special) attribute sets.
Fixes references coming from the mdadm udev rules.
This addresses #12722 (mdadm udev rules have references to /usr/bin) but
still won't fix the warning, though (if we want to fix the warnings, we
will have to patch the udev rules generater in services/hardware/udev).
For common mdraid functionality, this shouldn't fix anything, because
the wrong references seem to only apply to containers, see these
(wrapped) lines from ${mdadm}/lib/udev/rules.d/63-md-raid-arrays.rules:
# Tell systemd to run mdmon for our container, if we need it.
ENV{MD_LEVEL}=="raid[1-9]*",
ENV{MD_CONTAINER}=="?*",
PROGRAM="/usr/bin/readlink $env{MD_CONTAINER}",
ENV{MD_MON_THIS}="%c"
ENV{MD_MON_THIS}=="?*",
PROGRAM="/usr/bin/basename $env{MD_MON_THIS}",
ENV{SYSTEMD_WANTS}+="mdmon@%c.service"
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Partially reverts commit 901163c0c7.
This has broken remote SSH into initrd because ${cfg.shell} is not
expanded. Also, nsswitch is useless without libnss_files.so which
are installed by initrd-ssh.
This is a regression introduced by merging the EBS and S3 images. The
EBS images had a special marker /.ebs to prevent the initrd from using
ephemeral storage for the unionfs, but this marker was missing in the
consolidated image.
The fix is to check the file ami-manifest-path on the metadata server
to see if we're an S3-based instance. This does require networking in
the initrd.
Issue #12613.
The default behavior with an m3.medium instance is to relocate
/nix and /tmp to /disk0 because an assumption is made that any
ephemeral disk is larger than the root volume. Rather than make
that assumption, add a check to see if the disk is larger, and
only then relocate /nix and /tmp.
This addresses https://github.com/NixOS/nixpkgs/issues/12613
Regression introduced by 5184aaa1ea.
The fix was intended to remove the "x == true/false" assertions, but by
accident a "x == false" was made "x == true" instead of "(!x)".
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Reported-by: devhell <"^"@regexmail.net>
Reportedly some ARM boards need some boot code at the start of a SD card
that could be larger than a megabyte. Change it to 8M, and while at it
reduce the /boot size such that the root partition should now start on a
128M boundary (the flash on SD cards really don't like non-aligned
writes these days).
Before the error if the wrong default desktop was chosen would be:
/nixpkgs-channels/lib/modules.nix:282:11:
Default desktop manager ($(defaultDM)) not found.
which has the string interpolation done incorreclty. Now that is fixed
and it is more user-friendly as:
/nixpkgs-channels/lib/modules.nix:282:11:
Default desktop manager (gnome) not found.
Probably you want to change
services.xserver.desktopManager.default = "gnome";
to one of
services.xserver.desktopManager.default = "gnome3";
services.xserver.desktopManager.default = "none";
- Fixed a bug in bluedevil (link to a .js file)
- Made bluez5 the default bluetooth service except for kde4
- created org.bluez.obex systemd dbus service
- Patched bluez5 using bluez-5.37-obexd_without_systemd-1.patch
in order to enable obex when using either the bluedevil plasmoid
or dolpin file manager within plasma workspaces 5.
The functionality was tested using a Sony Xperia Z, the machine
and the handset paired and two different files were sent in both
directions successfully.
- Now `pkg.outputUnspecified = true` but this attribute is missing in
every output, so we can recognize whether the user chose or not.
If (s)he didn't choose, we put `pkg.bin or pkg.out or pkg` into
`systemPackages`.
- `outputsToLink` is replaced by `extraOutputsToLink`.
We add extra outputs *regardless* of whether the user chose anything.
It's mainly meant for outputs with docs and debug symbols.
- Note that as a result, some libraries will disappear from system path.
- added numlock on boot switch
- simply add :
services.xserver.displayManager.sddm.autoNumlock = true;
to configuration.nix and sddm will start
with numlock enabled.
If we limit SSH_ASKPASS to interactive shells, users are unable to trigger
the ssh-passphrase dialog from their desktop environment autostart scripts.
Usecase: I call ssh-add during my desktop environment autostart and want to have
the passphrase dialog immediately after startup.
For this to work, SSH_ASKPASS needs to be propagated properly on
non-interactive shells.
See http://nixos.org/nixpkgs/manual/#sec-package-naming
I've added an alias for multipath_tools to make sure that we don't break
existing configurations referencing the old name.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
